
Printed from http://www.macnn.com

Security firm warns against iPhone web dial

updated 10:30 am EDT, Tue July 17, 2007

iPhone web-dialing flaws

A web security company is warning against using a feature of the iPhone's web browser. According to SPI Dynamics, the ability to tap a link in Safari and have the phone dial the number is convenient, but it may also be exploitable by attackers. Examples given include tracking a user's phone calls, or redirecting a call to a number of the attacker's choosing, such as a 1-900 premium-rate number; more serious threats include calls being placed without confirmation, an infinite calling loop that can only be escaped by powering the phone off, or the blocking of phone calls altogether.

Compounding the problem is the choice of three delivery vectors: an attacker can host the malicious links on a site of their own, inject them into a legitimate site through a cross-site scripting flaw, or spread them with a web worm.

SPI says it reported its findings to Apple earlier in the month and is cooperating with Apple to close the holes; until a fix ships, it suggests that iPhone owners simply avoid dialing from Safari altogether.
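The core of the complaint is that the number a page shows and the number a link actually dials are two separate things, both under the page author's control. The following is an added example, not code from the article or from SPI Dynamics: a small audit that pulls every click-to-call anchor out of an HTML document and flags links whose visible text carries a different number than the link target, links with no visible number at all, and links that point at premium-rate exchanges (the 1-900 and NPA+976 ranges that the AT&T text quoted in the comments below lists as blocked). It assumes links use the tel: URI scheme, which the article never names, and the sample page is constructed for the demo.

```javascript
// Added example (not from the article or SPI Dynamics).
// Audits click-to-call links in an HTML document: the href decides what
// gets dialed, the anchor text is only what the reader sees, so a page can
// show one number and dial another. Assumes the tel: URI scheme (RFC 3966),
// which the article itself never names.

// Constructed sample page for the demo: one honest link, one that shows a
// toll-free number but dials a 1-900 exchange, one with no visible number.
const SAMPLE_HTML = `
<p>Sales: <a href="tel:+1-800-555-0100">1-800-555-0100</a></p>
<p>Support: <a href="tel:19005550199">1-800-555-0100</a></p>
<p><a href='tel:%2B15555550123'><img src="call.png" alt=""></a></p>
`;

function digitsOnly(s) {
  return s.replace(/[^0-9]/g, '');
}

// Premium-rate ranges as listed in the AT&T blocked-number text quoted in
// the comments: 1-900 numbers and any NPA + 976 exchange. Assumes NANP
// numbers written with a leading country code 1.
function isPremiumRate(digits) {
  return digits.startsWith('1900') || /^1\d{3}976/.test(digits);
}

// Pull every <a ... href="tel:..."> out of raw HTML with its visible text.
// Regex-based on purpose so it runs outside a browser; in a page, feed it
// document.documentElement.outerHTML after scripts have run, since a
// static fetch never sees links that injected script adds later.
function extractTelLinks(html) {
  const re = /<a\b[^>]*href\s*=\s*["']?\s*tel:([^"'\s>]+)["']?[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let raw = m[1];
    try { raw = decodeURIComponent(raw); } catch (e) { /* keep percent-encoded form */ }
    const label = m[2].replace(/<[^>]*>/g, '').trim();
    links.push({ target: digitsOnly(raw), label, labelDigits: digitsOnly(label) });
  }
  return links;
}

// One finding list per link; an empty list means the link looks honest.
function auditTelLinks(html) {
  return extractTelLinks(html).map(link => {
    const findings = [];
    if (!link.labelDigits) {
      findings.push('no_visible_number');
    } else if (link.labelDigits !== link.target) {
      findings.push('label_mismatch');
    }
    if (isPremiumRate(link.target)) findings.push('premium_rate');
    return { ...link, findings };
  });
}

// Stand-alone run: print the audit of the constructed page.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditTelLinks(SAMPLE_HTML)) {
    console.log(`${r.target.padEnd(12)} shown as "${r.label}" -> ${r.findings.join(', ') || 'ok'}`);
  }
}
```

The check is deliberately about what the user sees versus what the handset is told to dial; it says nothing about whether the phone confirms before connecting, which is the point the commenters below argue over. Run it over the rendered DOM rather than the fetched source when the concern is the cross-site scripting vector.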




by MacNN Staff


Comments

  1. glasshalffull

    non-issue

    Haven't we been over this already? Tapping a number from Safari does not dial the number. It puts the phone in a mode ready to dial the number, shows you the number that will be dialed on the screen. If it's not the right number then you simply press cancel. Safari on iPhone cannot directly dial telephone numbers.

    This is a total non-issue as far as I can see. Who makes this c*** up anyway, and who is dumb enough to post it as news?

  2. wings_rfs

    "May be"?

    " may also be exploitable" When the key word changes from "may" to "can", wake me. I've heard so many cries from the anti-virus people that so-n-so feature COULD BE exploitable that I've pretty much become immune to the alarms and warnings issued by these guys. When the day comes that we start seeing real world active exploits in the wild, then and only then will I start to take their warnings seriously. Until then I'll go on with the belief that their cries of impending doom are really the cries of their own insignificance.

  3. glasshalffull

    security alert

    An insecurity company has identified a critical security exploit related to telephone touch-tone dialing pads. If a user incorrectly presses the key labeled "9" instead of the key labeled "8" when attempting to dial 1-800 numbers, they may inadvertently be directed to pay-per-minute services.

    The manufacturers of all telephones supporting a dialing pad where the number 9 key is adjacent to the number 8 key have been notified of the possible exploit.

  4. BDLatimer

    Non-issue

    Agreed: This "possible exploit" is nothing but an attempt to spread unsubstantiated FUD about the iPhone. I especially loved reading about how "an infinite calling loop that can only be escaped through shutoff" could come about. (Um, "how", again?)

    Oh, and re: "security alert" - WELL stated ;-)

  5. testudo

    Re: non-issue

    Haven't we been over this already? Tapping a number from Safari does not dial the number. It puts the phone in a mode ready to dial the number, shows you the number that will be dialed on the screen. If it's not the right number then you simply press cancel. Safari on iPhone cannot directly dial telephone numbers.

    This is a total non-issue as far as I can see. Who makes this c*** up anyway, and who is dumb enough to post it as news?


    Maybe you're right, but how many people pay attention to such things? Oh, you have to click "Send" before it goes out? Gee, and we know everyone will read the number, make sure it's correct, and then hit "Send".

    Another way to look at this would be to compare it to phishing. Phishing succeeds because there's a small minority of users who don't check that they've gone to the site they've clicked a link on, or notice that it's not a secure site (Safari doesn't help here, giving people no better visual cue than a small padlock in the corner, as opposed to messages, colored address bars, etc.), enter in some info, and, boom, they've just given their bank password to nefarious types.

    Sure, all standard Mac and Apple users are way too intelligent to fall for such deceit. But the iPhone is being used by poor, ignorant Windows users as well. And you know THOSE people. They never pay attention to anything.

  6. glasshalffull

    stupidity patch

    If users choose to ignore dialogs there's not much you can do. I know of no stupidity patch.

  7. glasshalffull

    UAC

    Speaking of Windows users, isn't it exactly that which MS is expecting of users with its User Access Controls?

    Present them a dialog for everything and expect them to decide what is safe.

  8. Guest

    blocked?

    per AT&T website:

    "Blocked Numbers

    AT&T used its right to block access to certain numbers to prevent various numbers from being dialed from the wireless handset. Most of these numbers are used by conference calling services and chat lines that claim to be "free". However, AT&T incurs a significant cost for these calls, and such costs are detrimental to our ability to continue to provide reasonably priced calling services to our customers.

    The following number exchanges are restricted from being dialed from the wireless handset:

    * 1-900 numbers
    * Any NPA + 976, regardless of the long distance provider
    * Certain chat and conferencing services that result in the end user and/or AT&T being charged excessive rates"

  9. CorDog

    May?

    You "May" be killed in an auto accident driving your car to work, so you better quit driving to work!

  10. hayesk

    To: testudo

    "Another way to look at this would be to compare it to phishing"

    That would be an incorrect way of looking at it. The number looks exactly like the number that will be dialed. It's not like phishing, where the website looks like another website.

    Eventually users need to take responsibility for their own actions. Anyone who falls for this does so not because the UI led them astray, but because they are lazy or stupid. This is not phishing.
